by Alexander H. Southwell and Snezhana Stadnik Tapia
As in recent years, privacy and cybersecurity law and policy continued to evolve substantially over the course of 2022 in an effort to keep up with technological developments and shifting consumer expectations and policy priorities. Recently, in the tenth edition of Gibson Dunn’s U.S. Cybersecurity and Data Privacy Outlook and Review, we reviewed some of the most significant developments on this topic in the U.S.
Below we summarize the past year’s developments and the prospects for the year ahead, including the wave of new privacy and cyber laws and regulations at the federal and state levels, driven in large part by increased attention to privacy protection and cyber hygiene. This past year also saw a substantial uptick in scrutiny and enforcement by federal and state regulators, as well as in civil litigation, and we expect this amplified focus on privacy and cybersecurity issues to continue. Although the full impact of these developments is yet to be realized, one thing is clear: in 2023, the flurry of regulatory, enforcement, and litigation activity will likely continue and will require close monitoring.
1. Spate of New Privacy and Cyber Laws and Rulemaking
There has been a profound shift in the U.S. in privacy and cybersecurity regulation and thinking. On the federal front in particular, Congress recently came close to passing omnibus privacy legislation and did enact heightened reporting requirements for critical infrastructure operators. Through proposed rulemakings, the SEC and FTC are emphasizing the importance of transparency about cybersecurity risks and incidents and of robust data security practices to protect consumer data.
In 2022, we saw significant progress toward comprehensive federal privacy legislation. Although the American Data Privacy and Protection Act (“ADPPA”) was ultimately not enacted, the bipartisan bill provided a useful framework that will likely pave the way for future attempts at enacting a federal privacy law.[1] Preemption of state laws and enforcement were the most contentious aspects of the bill, and the private right of action was also a sticking point. Commentators broadly agree that these issues were largely responsible for stalling the ADPPA’s movement through the legislative process. However, given the enormous support for a federal omnibus privacy law in the U.S., we expect to see new arguments raised in Congress on these roadblock issues in an effort to forge ahead with this important effort.
The FTC was a particularly active player in the regulation of data privacy and cybersecurity in 2022, taking a number of significant steps to address issues related to commercial surveillance and data security, among others. In August 2022, the FTC issued an advance notice of proposed rulemaking on commercial surveillance and data security, which could lead to the adoption of the first sweeping nationwide privacy regulation.[2] The FTC posed 95 separate questions on a variety of related topics and received over 11,000 public comments in response. The rulemaking will remain an important area to watch in 2023.
Other notable rulemaking developments were the SEC’s proposals to impose stricter cybersecurity disclosure and reporting requirements on certain regulated entities. In February 2022, the SEC proposed cybersecurity risk management and reporting rules for registered investment advisers and investment companies.[3] The following month, the SEC announced proposed cybersecurity rules for publicly traded companies.[4] The proposed rules include new requirements relating to cyber risk management, strategy, governance, and incident disclosure. Under the proposed rule, the SEC would require public companies to report a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material. Companies would also be required to disclose their policies and procedures for managing cybersecurity risks and threats, as well as any cybersecurity expertise of their directors. The agency has indicated that it intends to take final action on both proposed rules in April 2023.[5]
Last, but not least, last year Congress also adopted legislation imposing significant new reporting obligations on owners and operators of critical infrastructure: the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”).[6] As a first step in the rulemaking CIRCIA requires, DHS’s Cybersecurity and Infrastructure Security Agency (“CISA”) published a Request for Information in September 2022.[7] CISA sought public feedback on a range of topics, including which entities are covered by the requirements, the types of covered incidents, and the manner, timing, and form of reports.[8] Under CIRCIA, CISA must publish a notice of proposed rulemaking by March 2024, and the final rule must follow within 18 months of that proposal; the reporting obligations do not take effect until the final rule does.[9] Since CIRCIA will considerably expand reporting obligations, many entities are closely monitoring the rulemaking and preparing for potentially overlapping disclosure obligations. The emphasis on tighter critical infrastructure security is expected to continue in 2023. Recently, the Biden administration unveiled a National Cybersecurity Strategy calling for a more aggressive response to cyber threats, including by expanding requirements for critical infrastructure operators.[10]
While considerable progress is being made in Washington D.C. with respect to privacy and data security regulation, states continue to lead the way in this space by pushing their own initiatives forward.
2022 saw companies scrambling to comply with the California Privacy Rights Act (“CPRA”), even though the implementing regulations were, once again, not finalized by the time the law took effect on January 1, 2023. Businesses that meet the CPRA’s revised applicability thresholds should be aware that the law imposes additional obligations on them (including with respect to previously exempted employee and business-to-business data), and they need to come into compliance now if they have not already. The first-of-its-kind, privacy-focused state enforcement agency, the California Privacy Protection Agency (“CPPA”), is set to begin enforcement in a few months, on July 1, 2023. Also tasked with implementing the CPRA through regulations, the CPPA released proposed regulations in July 2022, and the rulemaking process is ongoing. The soonest we expect to see finalized rules is April 2023. Although the current draft regulations are subject to change, they still provide helpful guidance that businesses can act on now.
In addition to California, four other states, Colorado, Connecticut, Virginia, and Utah, will see their own comprehensive data privacy laws come into effect in 2023. The Virginia Consumer Data Protection Act (“VCDPA”), which went into effect on January 1, 2023, enumerates a number of privacy rights for Virginia consumers.[11] The VCDPA differs from California’s privacy law in several notable ways, and the enacted privacy laws in Colorado and Connecticut (effective July 1, 2023) and Utah (effective December 31, 2023) hew closely to the VCDPA rather than to the California model.[12] Notably, unlike the privacy laws in California and Colorado, the newly enacted laws in Virginia, Connecticut, and Utah do not provide for rulemaking by the attorney general. However, those laws still give state attorneys general strong enforcement authority. Tired of waiting for Congress to pass a federal privacy law, U.S. states are expected to continue enacting comprehensive consumer privacy bills. So far in 2023, at least 20 states are considering comprehensive consumer privacy legislation and more than 40 such bills have been introduced.[13]
Besides enacting comprehensive privacy legislation, the states are continuing to consider and enact bills addressing specific subsets of data, including with respect to children’s privacy and automated decision making. For example, following the lead of California’s Age Appropriate Design Code Act, which will take effect in 2024 and is aimed at protecting the wellbeing, data, and privacy of children under the age of eighteen using online platforms,[14] several states are also currently considering legislation to increase protections for children’s data. A handful of states are also considering bills addressing the collection and use of biometric data or health data and third-party data brokers. New York City also enacted its Automated Employment Decision Tools law, which will be enforced starting April 15, 2023. The law—which is similar to those enacted at the state level by Illinois and Maryland—regulates AI-driven tools in connection with employment processes, such as in hiring and promotion processes.[15] Although comprehensive privacy laws are also being considered, some states are electing to tackle segments of data and related issues one piece of legislation at a time.
In the cybersecurity space, New York continues to lead the way with proposals to strengthen the already stringent Part 500 cybersecurity rules for financial institutions regulated by the Department of Financial Services (“DFS”). Among other changes, the proposed amendments to Part 500 would increase cybersecurity oversight expectations for senior leaders, expand the set of events covered under the mandatory 72-hour notification requirements, introduce a new 24-hour reporting requirement for ransom payments, and heighten annual certification requirements. The public comment period for the proposed amendments closed in January 2023. In the coming months, DFS will either adopt final regulations or issue a further revised version.
As regulators seek to protect consumer data and raise the floor for cybersecurity standards in step with new technologies and evolving cyber threats, the flurry of federal and state legislative and regulatory activity (and enforcement, discussed below) is only intensifying.
2. Substantial Uptick in Regulatory Scrutiny and Enforcement
In 2022, we saw a substantial uptick in regulatory scrutiny and enforcement. This year, we are expecting continued aggressive enforcement actions by federal and state authorities in numerous areas.
The FTC was also a particularly active player in the enforcement of data privacy and cybersecurity laws in 2022. In particular, the FTC vigorously enforced the Children’s Online Privacy Protection Act (“COPPA”). In December 2022, the FTC announced a record $520 million settlement with a video game developer, comprising a $275 million civil penalty for alleged COPPA violations, the largest penalty ever obtained for violating an FTC rule, and $245 million in consumer refunds to resolve separate allegations that the company used dark patterns to induce unwanted in-game purchases. Despite alleged awareness that many children played one of its games, the company allegedly collected their personal data without first obtaining parental consent. Earlier in 2022, the FTC also filed a complaint against a diet and fitness services company, alleging collection of children’s information without providing notice to parents.[16] Another enforcement priority is education technology (“EdTech”) companies; the FTC has warned EdTech providers to heed children’s privacy rules.[17] Besides children’s privacy, the FTC also focused in 2022 on undisclosed data collection and sharing,[18] dark patterns,[19] and lax data security practices.[20] We expect these enforcement priorities to continue in 2023.
Concerns about the privacy of health- and location-related data have been heightened by Dobbs v. Jackson Women’s Health Organization. Against this backdrop, the FTC has signaled that this year it is scrutinizing data sharing by health-related companies and applications. In February 2023, the FTC announced its first-ever enforcement action under the Health Breach Notification Rule, issued in 2009, against a digital health platform and prescription discount service, with a proposed order that bars the company from sharing users’ health information with third parties for advertising purposes.[21] Similarly, the FTC recently settled with an online counseling service, requiring the company to stop sharing consumers’ sensitive health information with third parties for advertising purposes.[22] And the FTC recently issued both a company-specific and a general warning when declining to challenge a merger: companies should not share health information for advertising purposes absent express permission.[23]
State privacy enforcers also wielded considerable authority in 2022, capping the year with the largest multistate privacy settlement in U.S. history, relating to the collection of location data by a large tech company.[24] In particular, states have shared the FTC’s concern with dark patterns, carefully crafted user interfaces that allegedly mislead consumers into making unintended choices.[25] Enforcement under state laws (such as the Illinois Biometric Information Privacy Act (“BIPA”)) continues to address evolving technologies and methods of data collection. Large tech companies remain the targets of data privacy lawsuits and investigations by attorneys general, who have asserted legal theories ranging from deceptive practices to unauthorized collection of biometric data.
The Texas, California, and New York attorneys general were particularly active in 2022. The Texas Attorney General filed the first lawsuit ever brought under Texas’ Capture or Use of Biometric Identifier Act (“CUBI”), against a large social media company, alleging illegal capture and use of biometric data derived from uploaded photos and videos.[26] There is not yet any meaningful precedent or case law construing CUBI. Meanwhile, the California Attorney General is “committed to the robust enforcement of California’s groundbreaking data privacy law.”[27] The attorney general has been sending notices of violation through “enforcement sweeps” and announced the first settlement under the California Consumer Privacy Act (“CCPA”), with a retailer of beauty products, for allegedly failing to disclose sales of consumers’ personal information and failing to process requests to opt out of such sales.[28] And, on the other coast, the New York Attorney General has been coordinating breach-related enforcement actions with DFS and with other state attorneys general. The Attorney General and DFS announced separate settlements with a vision benefits company, totaling $5.1 million in penalties, following a 2020 data breach that allegedly compromised 2.1 million consumers’ information.[29] New York was also part of an agreement, along with 45 other states, to settle with a major cruise line company for $1.25 million after a 2019 data breach at the company allegedly compromised the information of 180,000 employees and customers.[30]
It is clear that companies can expect to face increasing enforcement actions and associated costs relating to data privacy and security laws across the country.
3. Deluge of Private Litigation Amplifying Focus on Privacy and Cybersecurity Issues
In addition to the regulatory actions discussed above, there was an abundance of private litigation under state laws in 2022. Across the U.S., courts heard matters relating to privacy and cybersecurity issues.
Specifically, the CCPA grants consumers a limited private right of action for data breaches, creating an additional front on which data custodians must litigate in the event of a breach. Since the CCPA took effect in 2020, many cases have been filed, primarily in California, alleging breaches of the CCPA’s duty to implement and maintain reasonable security practices, and the courts hearing them are continuing to give shape to the contours of the statute. Companies should also prepare for more lawsuits under Illinois’ biometric privacy law, which provides a private right of action, following two recent rulings from the Illinois Supreme Court. On February 2, 2023, the Court held that claims under BIPA are subject to a five-year statute of limitations.[31] And, on February 17, the Court held that a BIPA claim accrues with every scan or transmission of biometric information made without prior informed consent, rather than only the first.[32] These rulings underscore the potential for enormous damages in BIPA suits and the importance of complying with BIPA’s requirements.
2022 also saw a new wave of lawsuits brought under federal and state anti-wiretapping statutes. The suits allege that businesses and their software providers violate those statutes and invade consumers’ privacy rights by using “session replay” and similar technologies without obtaining sufficient and valid consent.[33] These tools allow businesses and their session replay vendors to record and analyze visitors’ interactions with a public website or application in order to understand usage patterns. Companies are assessing their use of these technologies and closely monitoring the suits in light of an increase in threatened litigation and pay-out demands.
In 2023, the enacted and upcoming changes to data privacy laws will continue to significantly impact privacy and data breach litigation in various ways. Consumer-facing companies can expect to face increasing costs in this regard. For companies that collect biometric information, it will be important to closely monitor bills modeled after BIPA, which are being considered in at least seven legislatures this year.
Key Takeaways for Companies to Consider
In conclusion, companies should expect a similarly rapid rate of change in the year ahead. 2023 will undoubtedly bring new developments as various stakeholders (companies, governments, and the general public) react to unpredictable challenges and opportunities. It is important to continue tracking these issues in the year ahead; in 2023, companies will be well-served to:
- continue to assess their data practices (including the collection and flows of personal information) and ensure they are compliant with newly enacted privacy laws;
- monitor and track updates to the various federal rulemakings that are in progress and the privacy bills making their way through state legislatures; and
- consider whether changes to their cyber programs may be required, including by addressing and preparing for potentially overlapping incident disclosure obligations under state, federal and international laws.
Footnotes
[1] American Data Privacy and Protection Act, H.R. 8152, 117th Cong. (2022).
[2] Trade Regulation Rule on Commercial Surveillance and Data Security, 87 Fed. Reg. 51273 (published Aug. 22, 2022), available at https://www.federalregister.gov/documents/2022/08/22/2022-17752/trade-regulation-rule-on-commercial-surveillance-and-data-security.
[3] Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, 87 Fed. Reg. 13524 (proposed Mar. 9, 2022) (to be codified at 17 C.F.R. pts. 230-279).
[4] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release, 87 Fed. Reg. 16590, 16595 (proposed Mar. 23, 2022) (to be codified at 17 C.F.R. pts. 229-249).
[5] Off. of Mgmt. and Budget, Off. of Info. & Reg. Affs., Cybersecurity Risk Governance (3235-AN08), https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202210&RIN=3235-AN08 (last visited Mar. 1, 2023).
[6] Cyber Incident Reporting for Critical Infrastructure Act of 2022, Pub. L. No. 117-103, div. Y (2022) (enacted as part of the Consolidated Appropriations Act, 2022, H.R. 2471, 117th Cong.).
[7] Request for Information on the Cyber Incident Reporting for Critical Infrastructure Act of 2022, 87 Fed. Reg. 55833 (published Sept. 12, 2022), available at https://www.federalregister.gov/documents/2022/09/12/2022-19551/request-for-information-on-the-cyber-incident-reporting-for-critical-infrastructure-act-of-2022.
[8] CISA hosted a series of public listening sessions from September through November 2022 to receive input on the forthcoming proposed regulations. See Cyber Incident Reporting for Critical Infrastructure Act of 2022 Listening Sessions, 87 Fed. Reg. 55830 (published Sept. 12, 2022), available at https://www.federalregister.gov/documents/2022/09/12/2022-19550/cyber-incident-reporting-for-critical-infrastructure-act-of-2022-listening-sessions; Cyber Incident Reporting for Critical Infrastructure Act of 2022: Washington, D.C. Listening Session, 87 Fed. Reg. 60409 (published Oct. 5, 2022), available at https://www.federalregister.gov/documents/2022/10/05/2022-21635/cyber-incident-reporting-for-critical-infrastructure-act-of-2022-washington-dc-listening-session.
[9] Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), Cybersecurity & Infrastructure Security Agency, available at https://www.cisa.gov/circia.
[10] National Cybersecurity Strategy, March 2023, White House, https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf.
[11] Virginia Consumer Data Protection Act (“VCDPA”), S.B. 1392, 2021 Sess. (Va. 2021) (to be codified in Va. Code tit. 59.1 §§ 59.1-571 to 581).
[12] Colorado Privacy Act (“CPA”), S.B. 21-190, 73rd Gen. Assemb., Reg. Sess. (Colo. 2021) (to be codified in Colo. Rev. Stat. Title 6); Connecticut Data Privacy Act (“CTDPA”), S.B. 6, 2022, Gen. Assemb., Reg. Sess. (Conn. 2022); Utah Consumer Privacy Act (“UCPA”), S.B. 227, 2022 Leg. Sess. (Utah 2022).
[13] Amy Miller, US states propose comprehensive privacy bills, with familiar divide over enforcement, MLex, Mar. 1, 2023, https://content.mlex.com/#/content/1453030.
[14] Cal. Civ. Code §§ 1798.99.28-.40.
[15] N.Y.C. Local Law No. 144 of 2021, Int. No. 1894-2020-A (codified at N.Y.C. Admin. Code § 20-870 et seq.), available at https://legistar.council.nyc.gov/LegislationDetail.aspx?ID=4344524&GUID=B051915D-A9AC-451E-81F8-6596032FA3F9.
[16] Complaint, United States v. Kurbo, Inc. and WW International, Inc., No. 3:22-cv-00946 (N.D. Cal. Feb. 16, 2022).
[17] Federal Trade Commission, Policy Statement of the Federal Trade Commission on Education Technology and the Children’s Online Privacy Protection Act (2022), available at https://www.ftc.gov/system/files/ftc_gov/pdf/Policy%20Statement%20of%20the%20Federal%20Trade%20Commission%20on%20Education%20Technology.pdf .
[18] Press Release, Federal Trade Commission, FTC Charges Twitter with Deceptively Using Account Security Data to Sell Targeted Ads (May 25, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/05/ftc-charges-twitter-deceptively-using-account-security-data-sell-targeted-ads.
[19] Staff Report, Federal Trade Commission, Bringing Dark Patterns to Light (Sept. 15, 2022), https://www.ftc.gov/system/files/ftc_gov/pdf/P214800%20Dark%20Patterns%20Report%209.14.2022%20-%20FINAL.pdf.
[20] See, e.g., Press Release, Federal Trade Commission, FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers (Oct. 24, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/10/ftc-takes-action-against-drizly-its-ceo-james-cory-rellas-security-failures-exposed-data-25-million; Press Release, Federal Trade Commission, FTC Finalizes Action Against CafePress for Covering Up Data Breach, Lax Security (June 24, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/06/ftc-finalizes-action-against-cafepress-covering-data-breach-lax-security-0.
[21] Complaint for Permanent Injunction, Civil Penalties, and Other Relief, United States v. GoodRx Holdings, Inc., No. 3:23-cv-00460 (N.D. Cal. Feb. 1, 2023), available at https://www.ftc.gov/system/files/ftc_gov/pdf/goodrx_complaint_for_permanent_injunction_civil_penalties_and_other_relief.pdf; Health Breach Notification Rule, 74 Fed. Reg. 42961 (Aug. 25, 2009) (codified at 16 C.F.R. pt. 318).
[22] Complaint, In the Matter of BetterHelp, Inc., FTC Matter No. 2023169 (Mar. 2, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/2023169-betterhelp-complaint_.pdf.
[23] Joint Statement of Chair Khan, Commissioner Slaughter, Commissioner Wilson, and Commissioner Bedoya Regarding Amazon.com, Inc.’s Acquisition of 1Life Healthcare, Inc., Federal Trade Commission (Feb. 27, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/2210191amazononemedicalkhanslaughterwilsonbedoya.pdf.
[24] Google will pay $392m to 40 states in largest ever US privacy settlement, The Guardian (Nov. 14, 2022), https://www.theguardian.com/technology/2022/nov/14/google-settlement-40-states-user-location-tracking.
[25] As an example, the New York Attorney General’s Office secured $2.6 million in disgorged profits from an online travel company for use of deceptive online advertising including the use of dark patterns. See Press Release, NY Attorney General, Attorney General James Secures $2.6 Million From Online Travel Agency for Deceptive Marketing (Mar. 16, 2022), available at https://ag.ny.gov/press-release/2022/attorney-general-james-secures-26-million-online-travel-agency-deceptive.
[26] Press Release, Attorney General of Texas, Paxton Sues Facebook for Using Unauthorized Biometric Data (Feb. 14, 2022), available at https://www.texasattorneygeneral.gov/news/releases/paxton-sues-facebook-using-unauthorized-biometric-data.
[27] Press Release, State of California Department of Justice, Attorney General Bonta Announces Settlement with Sephora as Part of Ongoing Enforcement of California Consumer Privacy Act (Aug. 24, 2022), available at https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement.
[28] Id.
[29] Press Release, NY Attorney General, Attorney General James Announces $600,000 Agreement with EyeMed After 2020 Data Breach (Jan. 24, 2022), available at https://ag.ny.gov/press-release/2022/attorney-general-james-announces-600000-agreement-eyemed-after-2020-data-breach; Press Release, NY Dep’t of Fin. Servs., DFS Superintendent Harris Announces $4.5 Million Cybersecurity Settlement With EyeMed Vision Care LLC, Oct. 18, 2022, https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202210181.
[30] Press Release, NY Attorney General, Attorney General James Recovers $1.25 Million for Consumers Affected by Carnival Cruise Line’s Data Breach (June 23, 2022), available at https://ag.ny.gov/press-release/2022/attorney-general-james-recovers-125-million-consumers-affected-carnival-cruise; Press Release, NY Dep’t of Fin. Servs., DFS Superintendent Harris Announces $5 Million Penalty On Cruise Company Carnival Corporation And Its Subsidiaries For Significant Cybersecurity Violations (June 24, 2022), available at https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202206241.
[31] Tims, et al. v. Black Horse Carriers, Inc., 2023 IL 127801 (Ill. Feb. 2, 2023).
[32] Cothron v. White Castle Sys., Inc., 2023 IL 128004 (Ill. Feb. 17, 2023).
[33] See, e.g., Javier v. Assurance IQ, LLC, No. 21-16351, 2022 WL 1744107 (9th Cir. May 31, 2022); Popa v. Harriet Carter Gifts, Inc., 45 F.4th 687 (3d Cir. 2022).
Alexander H. Southwell is a partner and Snezhana Stadnik Tapia is an associate at Gibson Dunn & Crutcher LLP. This post first appeared on the firm’s blog.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regard to infringement of intellectual property rights remains with the author(s).